ok

Mini Shell

Direktori : /opt/imunify360/venv/lib/python3.11/site-packages/im360/subsys/__pycache__/
Upload File :
Current File : //opt/imunify360/venv/lib/python3.11/site-packages/im360/subsys/__pycache__/csf.cpython-311.pyc

�

g�*����ddlZddlZddlZddlmZddlmZddlZddlm	Z	m
Z
mZddlm
Z
ddlmZmZmZmZmZmZddlmZddlmZmZmZmZmZd	Zej�ed
��Z ej�ed��Z!ej�ed��Z"ej�ed
��Z#dZ$dZ%e"ge#e!gd�Z&ej'e(��Z)de*de+fd�Z,Gd�de
��Z-d�Z.dd�d�Z/dd�d�Z0d�Z1d�Z2de*fd�Z3dee
effd�Z4dee
effd �Z5dee
effd!�Z6d"�Z7d#�Z8eed$e8�%��d&���Z9d'�Z:d(�Z;d)�Z<d*�Z=d+�Z>d,�Z?d1d-�Z@d.�ZAd/�ZBd0�ZCdS)2�N)�suppress)�Union)�
ip_network�IPv4Network�IPv6Network)�KWConfig)�	check_run�
CheckRunError�retry_on�run�run_coro�FileLock)�IP)�listening_ports�TCP�UDP�IN�OUTz/etc/csfzcsf.confz
csf.ignorezcsf.denyz	csf.allowz/var/lib/csf/csf.lock�)�BLACK�WHITE�do_lock�lock_timeoutc������fd�}|S)Nc�L���tj������fd���}|S)z�
        Decorator to disable concurrent rule editing with CSF
        Method is executed with holding lock file used by CSF
        to prevent it's start or restart
        while imunify360 is editing iptables rules
        :return:
        c���K��rttj�t��rPt	t����4�d{V���|i|���d{V��cddd���d{V��S#1�d{V��swxYwYdS�|i|���d{V��S)N)�path�timeout)�osr�isfile�
CSF_LOCK_PATHr)�args�kwargsr�funcrs  ����E/opt/imunify360/venv/lib/python3.11/site-packages/im360/subsys/csf.py�wrapperz,csf_coop.<locals>.decorator.<locals>.wrapper0sB������
3�2�7�>�>�-�8�8�
3�#���M�M�M�7�7�7�7�7�7�7�7�!%��t�!6�v�!6�!6�6�6�6�6�6�6�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7�7����7�7�7�7�7�7�"�T�4�2�6�2�2�2�2�2�2�2�2�2s�A'�'
A1�4A1)�	functools�wraps)r$r&rrs` ��r%�	decoratorzcsf_coop.<locals>.decorator'sE����
���	�	�	3�	3�	3�	3�	3�	3�
�	�	3����)rrr)s`` r%�csf_coopr,&s*����������(�r*c��eZdZdZdZeZdZdS)�Configz^\s*{}\s*=\s*"(.*?)".*$z	{} = "{}"FN)�__name__�
__module__�__qualname__�SEARCH_PATTERN�
WRITE_PATTERN�
CSF_CONFIG�DEFAULT_FILENAME�ALLOW_EMPTY_CONFIGr+r*r%r.r.>s&������/�N��M�!�����r*r.c��t||��}t|�����}t|��S)zq
    Get set of open ports and ports ranges in csf.conf
    :param proto:
    :param direction:
    :return:
    )�_form_conn_namer.�get�_parse_ports)�proto�	direction�name�datas    r%�	get_portsr?Es8���5�)�,�,�D��$�<�<�����D�����r*)�rangesc�l�t||��}t||��\}}h|�}|�|��r|�|�|��rdS|�|��|r|�|��t	||��}t|���|��dS)z�
    Add open ports or port ranges to csf.conf
    :param proto:
    :param direction:
    :param ports:
    :param ranges:
    :return: True if changes made, False otherwise
    :rtype: boolean
    NFT)r8r?�issubset�update�_pack_portsr.�set)	r;r<r@�portsr=�p�r�ps�outs	         r%�	add_portsrKQs����5�)�,�,�D��U�I�&�&�D�A�q�	�5��B�	�{�{�1�~�~��6�>�V�_�_�Q�-?�-?�>��u��H�H�R�L�L�L�
��	�������
�a��
�
�C�
�4�L�L���S�����4r*c���t||��}t||��\}}h|�}||z
}|r||z
}t||��}t|���|��dS)z�
    Remove open ports or port ranges from csf.conf
    :param proto:
    :param direction:
    :param ports:
    :param ranges:
    :return:
    N)r8r?rDr.rE)	r;r<r@rFr=rGrH�ports_to_removerJs	         r%�remove_portsrNhsy���5�)�,�,�D��U�I�&�&�D�A�q���h�O�	�O��A�
��
��J��
�a��
�
�C�
�4�L�L���S�����r*c��VK�d}tj�|��sdS	t|dg���d{V��\}}}n#t$rYdSwxYw|dkrt
�d|||��t|��o#tj�t��S)Nz
/usr/sbin/csfFz--status�z/CSF unexpected retcode %d. stdout=%r, stderr=%r)
rrr r�FileNotFoundError�logger�warning�bool�existsr4)�csf_app�rcrJ�errs    r%�
is_runningrY{s������G�
�7�>�>�'�"�"���u�� �'�:�!6�7�7�7�7�7�7�7�7���C���������u�u�����	�A�v�v����=�r�3��	
�	
�	
��B�x�x�<�6�B�G�N�N�:�6�6�6s�A�
A�Ac�8�tt����S�N)r
rYr+r*r%�is_csf_is_running_syncr\�s���J�L�L�!�!�!r*�returnc��|K�t���d{V��r%td�����dkSdS)zW
    Return True if csf running and SMTP_BLOCK is enabled in csf
    :return: bool
    N�
SMTP_BLOCK�1F)rYr.r9r+r*r%�is_SMTP_block_enabledra�sJ����
�\�\�������1��l�#�#�'�'�)�)�S�0�0��5r*�ipc��bK�ddtj|��g}t|���d{V��dS)z9
    Unblock an IP and remove from /etc/csf/csf.deny
    �csfz--denyrmN�r�ip_net_to_stringr	�rb�cmds  r%�denyrmri��C�����*�b�1�"�5�5�
6�C�
�C�.�.���������r*c��bK�ddtj|��g}t|���d{V��dS)z>
    Remove an IP from the temporary IP ban or allow list
    rdz--temprmNrergs  r%�temprmrl�rjr*c��^K�t|���d{V��t|���d{V��dS)z<
    Unblock ip blocked either temporary or permanently
    N)rirl)rbs r%�unblockrn�sJ������*�*��������
��*�*���������r*c��<K�gd�}t|���d{V��dS)N)rdz--lfd�restart)r	)rhs r%�lfd_restartrq�s5����
%�
%�
%�C�
�C�.�.���������r*c��K�t�d||��tjt���d{V��dS)Nz*Error during csf --restartall, %r retry %s)rRrS�asyncio�sleep�CSF_RESTART_THROTTLE_DELAY)�e�is  r%�async_log_on_errorrx�sF����
�N�N�?��A�F�F�F�
�-�2�
3�
3�3�3�3�3�3�3�3�3�3r*�)�	max_tries�on_errorc��K�tt��5tjd��ddd��n#1swxYwYt	ddg���d{V��dS)Nz/etc/csf/csf.errorrdz--restartall)rrQr�unlinkr	r+r*r%�restart_allr~�s�����	�#�	$�	$�(�(�
�	�&�'�'�'�(�(�(�(�(�(�(�(�(�(�(����(�(�(�(�
�U�N�+�
,�
,�,�,�,�,�,�,�,�,�,s�8�<�<c#��K�t|dd���5}|D]1}|���}|r|�d��s|V��2	ddd��dS#1swxYwYdS)zsYield non-blank, non-comment lines.

    Ignore non-utf-8 content.
    Leading/trailing whitespace is removed.
    zutf-8�ignore)�encoding�errors�#N)�open�strip�
startswith)r�file�lines   r%�
_readlinesr��s�����
�d�W�X�	6�	6�	6��$��	�	�D��:�:�<�<�D��
�D�O�O�C�0�0�
��
�
�
��	���������������������s�5A�A�Ac���g}	t|��D�]�}|�d���}t|��dkrG|ddkr;|�t	|d��������st|��dk�r	t
|d��tj|d��rtj	|d��|d<d}t|��dkrHd|dvr>|d|d�
d��dzd����}|�|d|f����P#t$rDt�d�|���|����Y���wxYw���n=#t $r0t�d	�|����YnwxYw|S)
zs
    Load ips and networks from csf allow/deny file

    :param path: path to csf allow/deny file
    :return:
    rP��maxsplit�r�IncludeNr��#Cannot parse line {!r} from file {}�Can not open file {})r��split�len�extend�
ips_from_filer�rr�is_valid_ipv6_addr�convert_to_ipv6_network�find�append�
ValueErrorrR�debug�format�OSErrorrS)r�ipsr��parts�comments     r%r�r��s���
�C�<��t�$�$�	4�	4�D��J�J��J�*�*�E��5�z�z�Q���5��8�y�#8�#8��
�
�=��q����)9�)9�:�:�;�;�;�;��U���q���4��u�Q�x�(�(�(��,�U�1�X�6�6�H�#%�#=�e�A�h�#G�#G��a��#�G��5�z�z�Q���3�%��(�?�?�"'��(�5��8�=�=��+=�+=��+A�+C�+C�"D�"J�"J�"L�"L���J�J��a��'�2�3�3�3�3��"�����L�L�=�D�D� �J�J�L�L�$������������!�	4��,�<�<�<����-�4�4�T�:�:�;�;�;�;�;�<�����Js9�BF7�AE#�'A<F7�#A
F1�-F7�0F1�1F7�77G1�0G1c���g}	t|��D�]%}|�d���}t|��dkrG|ddkr;|�t	|d��������s	|�d��\}}}}|�d��\}}t
|��}n#t$rY��wxYw|�d��\}	}|dk�r@|d	k�r9|	d
k�r2|�d���}	t|d��tj
|d��rtj|d��|d<d}
t|��dkrHd|dvr>|d|d�d��dzd����}
|�
|||d|
f�����#t$rDt�d
�|���|����Y��!wxYw��'n=#t"$r0t�d�|����YnwxYw|S)zx
    Load open ports and ip from csf allow/ignore file

    :param path: path to csf allow/ignore file
    :return:
    rPr�r�rr��|�=�in�d�sNr�r�r�)r�r�r�r��ignore_ports_from_filer��intr�rrr�r�r�r�rRr�r�r�rS)rr�r�r�r;r<�portrb�port_direction�ip_directionr�s           r%r�r��s���
�C�*<��t�$�$�'	>�'	>�D��J�J��J�*�*�E��5�z�z�Q���5��8�y�#8�#8��
�
�1�%��(�.�.�2B�2B�C�C�D�D�D��
�-1�Z�Z��_�_�*��y�$��'+�z�z�#���$����4�y�y�����
�
�
���
���� "�x�x��}�}��L�"��T�!�!�"�c�)�)� �C�'�'��X�X�q�X�)�)��>��r�!�u�%�%�%��,�R��U�3�3�B� "� :�2�a�5� A� A��1��#�G��2�w�w�!�|�|��r�!�u���"$�Q�%��1��
�
�3���!�(;�(=�(=�">�"D�"D�"F�"F���J�J��e�R��U�G�<�=�=�=�=��"�����L�L�=�D�D� �J�J�L�L�$�������������9'	>��P�<�<�<����-�4�4�T�:�:�;�;�;�;�;�<�����Js_�BH;�AC	�H;�	
C�H;�C�AH;�AG'�)A>H;�'A
H5�1H;�4H5�5H;�;7I5�4I5c�n�g}t|D]$}|�t|�����%|Sr[)�CSF_IMUNIFY_IPLISTS_MAPPINGr�r�)�listnamer�rs   r%�
ips_from_listr�,s=��
�C�+�H�5�(�(���
�
�=��&�&�'�'�'�'��Jr*c���t��}t��}|s||fS|�d��}|D]�}|s�|�d��}gtt|���}t	|��dkr|�|d���`t	|��dkr#|�t
|������td|���||fS)z�
    Parses opened ports and ranges from line from csf.conf
    E.g. 22,80,443,2048:3072 -> ({22, 80, 442}, (2048, 3072))

    :param line:
    :return:
    �,�:rPrr�z Cannot parse following piece: %s)rEr��mapr�r��add�tupler�)r�rFr@�values�value�itemss      r%r:r:3s���
�E�E�E�
�U�U�F����f�}��
�Z�Z��_�_�F��H�H���	�����C� � ��"�#�c�5�/�/�"���u�:�:��?�?��I�I�e�A�h�����
��Z�Z�1�_�_��J�J�u�U�|�|�$�$�$�$��?��G�G�G��&�=�r*c��|ttfvsJ�|ttfvsJ�d�||�����S)z�
    Forms proper name of csf.conf parameter for connection
    E.g. TCP_IN, UDP_OUT


    :param proto:
    :param direction:
    :return:
    z{}_{})rrrrr��upper)r;r<s  r%r8r8PsN���S�#�J�������S�	�!�!�!�!��>�>�%��+�+�1�1�3�3�3r*c��t|��}d�tt|����}|rEt|��}d�d�|D����}d�||f��S|S)z
    Presents ports and port ranges in format,
    accepted in csf.conf

    :param ports:
    :param ranges:
    :return:
    r�c�^�g|]*}d�tt|������+S)r�)�joinr��str)�.0�rngs  r%�
<listcomp>z_pack_ports.<locals>.<listcomp>ls,��C�C�C��S�X�X�c�#�s�m�m�4�4�C�C�Cr*)�sortedr�r�r�)rFr@rI�ports_s�rs�ranges_ss      r%rDrD_sw��
����B��h�h�s�3��|�|�$�$�G�
��
�F�^�^���8�8�C�C��C�C�C�D�D���x�x��(�+�,�,�,��r*c��|D]<}|\}}tt||dz����}|�|���=|S)z�
    Merges ports and port ranges in single set

    :param ports: set of ports
    :param ranges: set of tuples (start_port, end_port)
    :return: set of ports included ports from ranges
    rP)rE�rangerC)rFr@rH�start�end�ports_from_ranges      r%�_merge_ports_and_rangesr�rsS���'�'���
��s��u�U�C�!�G�4�4�5�5��
���%�&�&�&�&��Lr*c�R�t|t��\}}t||��S)z\
    Read opened incoming ports from csf config

    :param proto: tcp/udp
    :return:
    )r?rr�)r;rFr@s   r%�incoming_portsr��s'���e�R�(�(�M�E�6�"�5�&�1�1�1r*c�d�|ttfvsJ�t|��t|��z
S)zg
    Difference between listening_ports and incoming_ports

    :param proto: tcp/udp
    :return:
    )rrrr�)r;s r%�closed_portsr��s4���S�#�J������5�!�!�N�5�$9�$9�9�9r*r[)Drsr'�logging�
contextlibr�typingrr�	ipaddressrrr�defence360agent.utils.kwconfigr�defence360agent.utilsr	r
rrr
r�im360.utils.validater�im360.utils.netrrrrr�CSF_CONFIG_ROOTrr�r4�CSF_IGNORE_FILE�
CSF_DENY_FILE�CSF_ALLOW_FILEr!rur��	getLoggerr/rRrTr�r,r.r?rKrNrYr\rarirlrnrqrxr~r�r�r�r�r:r8rDr�r�r�r+r*r%�<module>r�s���������������������������	�	�	�	�:�:�:�:�:�:�:�:�:�:�3�3�3�3�3�3�����������������$�#�#�#�#�#�>�>�>�>�>�>�>�>�>�>�>�>�>�>���
�W�\�\�/�:�
6�
6�
��'�,�,���=�=������_�j�9�9�
�����o�{�;�;��'�
����_��o�
.����

��	�8�	$�	$���d��#�����0�����X����	�	�	�04������.37������&
7�
7�
7� "�"�"��T������U�;��3�4������U�;��3�4������e�K��4�5��������4�4�4�

��-�1�/A�B�B�B�-�-�C�B�-�
�
�
�!�!�!�H3�3�3�l������:4�4�4�����&���2�2�2�:�:�:�:�:r*

Zerion Mini Shell 1.0